2 * Licensed to the University Corporation for Advanced Internet
3 * Development, Inc. (UCAID) under one or more contributor license
4 * agreements. See the NOTICE file distributed with this work for
5 * additional information regarding copyright ownership.
7 * UCAID licenses this file to you under the Apache License,
8 * Version 2.0 (the "License"); you may not use this file except
9 * in compliance with the License. You may obtain a copy of the
12 * http://www.apache.org/licenses/LICENSE-2.0
14 * Unless required by applicable law or agreed to in writing,
15 * software distributed under the License is distributed on an
16 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
17 * either express or implied. See the License for the specific
18 * language governing permissions and limitations under the License.
24 * Overall policy used to verify the security of an incoming message.
28 #include "exceptions.h"
29 #include "binding/SecurityPolicy.h"
30 #include "binding/SecurityPolicyRule.h"
31 #include "saml2/core/Assertions.h"
33 #include <xercesc/util/XMLUniDefs.hpp>
35 using namespace opensaml::saml2md;
36 using namespace opensaml::saml2;
37 using namespace opensaml;
38 using namespace xmltooling;
// Factory entry points for the built-in SecurityPolicyRule implementations.
// Each one is bound to a rule name in registerSecurityPolicyRules() below;
// the BrowserSSO factory is referenced there as saml1::BrowserSSORuleFactory
// and the Bearer/Delegation factories as saml2::..., so the enclosing
// namespace blocks (not shown in this listing) wrap the last three declarations.
42 SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory AudienceRestrictionRuleFactory;
43 SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory ClientCertAuthRuleFactory;
44 SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory ConditionsRuleFactory;
45 SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory IgnoreRuleFactory;
46 SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory MessageFlowRuleFactory;
47 SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory NullSecurityRuleFactory;
48 SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory SimpleSigningRuleFactory;
49 SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory XMLSigningRuleFactory;
52 SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory BrowserSSORuleFactory;
56 SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory BearerConfirmationRuleFactory;
57 SAML_DLLLOCAL PluginManager<SecurityPolicyRule,string,const DOMElement*>::Factory DelegationRestrictionRuleFactory;
// Registers every built-in policy rule with the global configuration's rule
// manager, keyed by the rule's name constant. A policy definition selects
// rules by these names, so the set registered here is the set that can be
// configured without an external plugin.
void SAML_API opensaml::registerSecurityPolicyRules()
{
    auto& ruleManager = SAMLConfig::getConfig().SecurityPolicyRuleManager;

    ruleManager.registerFactory(AUDIENCE_POLICY_RULE, AudienceRestrictionRuleFactory);
    ruleManager.registerFactory(CLIENTCERTAUTH_POLICY_RULE, ClientCertAuthRuleFactory);
    ruleManager.registerFactory(CONDITIONS_POLICY_RULE, ConditionsRuleFactory);
    ruleManager.registerFactory(IGNORE_POLICY_RULE, IgnoreRuleFactory);
    ruleManager.registerFactory(MESSAGEFLOW_POLICY_RULE, MessageFlowRuleFactory);
    ruleManager.registerFactory(NULLSECURITY_POLICY_RULE, NullSecurityRuleFactory);
    ruleManager.registerFactory(SIMPLESIGNING_POLICY_RULE, SimpleSigningRuleFactory);
    ruleManager.registerFactory(XMLSIGNING_POLICY_RULE, XMLSigningRuleFactory);

    // Profile-specific rules live in the saml1/saml2 sub-namespaces.
    ruleManager.registerFactory(SAML1BROWSERSSO_POLICY_RULE, saml1::BrowserSSORuleFactory);
    ruleManager.registerFactory(BEARER_POLICY_RULE, saml2::BearerConfirmationRuleFactory);
    ruleManager.registerFactory(DELEGATION_POLICY_RULE, saml2::DelegationRestrictionRuleFactory);
}
// Base-class constructor for policy rules; the body is not shown in this listing.
77 SecurityPolicyRule::SecurityPolicyRule()
// Base-class destructor; the body is not shown in this listing.
81 SecurityPolicyRule::~SecurityPolicyRule()
// Builds a policy over a metadata source, the role the message issuer is
// expected to play, and the trust engine exposed to rules via getTrustEngine().
// The tail of the parameter list and several member initializers are not
// shown in this listing.
85 SecurityPolicy::SecurityPolicy(
86 const saml2md::MetadataProvider* metadataProvider,
87 const xmltooling::QName* role,
88 const xmltooling::TrustEngine* trustEngine,
90 ) : m_metadataCriteria(nullptr),
// No issuer role or authentication result exists until a rule establishes one.
93 m_issuerRole(nullptr),
94 m_authenticated(false),
95 m_matchingPolicy(nullptr),
96 m_metadata(metadataProvider),
// The role is copied so the policy owns its own QName (released in the destructor).
// NOTE(review): the null check guarding this copy is not visible here — confirm.
104 m_role = new xmltooling::QName(*role);
// Releases the objects this policy owns; only part of the body is shown here.
107 SecurityPolicy::~SecurityPolicy()
// The criteria object is heap-allocated lazily in getMetadataProviderCriteria()
// or handed over by setMetadataProviderCriteria().
110 delete m_metadataCriteria;
// Accessor for the metadata source rules use to resolve the issuer; body not shown.
114 const MetadataProvider* SecurityPolicy::getMetadataProvider() const
// Returns a reusable, freshly reset Criteria object for metadata lookups.
// The object is allocated on first use; because this member function is const,
// m_metadataCriteria has to be declared mutable in the header. The branch
// between the allocation and the reset() call is not shown in this listing.
119 MetadataProvider::Criteria& SecurityPolicy::getMetadataProviderCriteria() const
121 if (!m_metadataCriteria)
122 m_metadataCriteria=new MetadataProvider::Criteria();
// An existing object is cleared so no criteria from a previous lookup leak into the next one.
124 m_metadataCriteria->reset();
125 return *m_metadataCriteria;
// Accessor for the role the issuer must play (may be null); body not shown.
128 const xmltooling::QName* SecurityPolicy::getRole() const
// Accessor for the trust engine supplied at construction or via setTrustEngine(); body not shown.
133 const TrustEngine* SecurityPolicy::getTrustEngine() const
// Reports the flag set by setValidating(); body not shown.
138 bool SecurityPolicy::getValidating() const
// Reports whether only entity-format Issuers are accepted (see setIssuer); body not shown.
143 bool SecurityPolicy::requireEntityIssuer() const
// Read-only view of the audience values a policy accepts; body not shown.
148 const vector<xstring>& SecurityPolicy::getAudiences() const
// Mutable access so callers can install the accepted audiences; body not shown.
153 vector<xstring>& SecurityPolicy::getAudiences()
// Returns the reference time used for validity checks. The line shown samples
// the clock and caches it in m_ts (which must therefore be mutable); the
// condition that decides when the clock is sampled, and the other return path,
// are not shown in this listing — presumably a time set via setTime() wins.
158 time_t SecurityPolicy::getTime() const
161 return m_ts = time(nullptr);
// Returns the correlation identifier as a NUL-terminated XMLCh string.
// The pointer is owned by this object and is invalidated the next time the
// string is modified (e.g. by setCorrelationID()).
const XMLCh* SecurityPolicy::getCorrelationID() const
{
    const xstring& id = m_correlationID;
    return id.c_str();
}
// Mutable access to the rule list run by evaluate(), in order; body not shown.
170 vector<const SecurityPolicyRule*>& SecurityPolicy::getRules()
// Replaces the metadata source. The pointer is stored as-is; nothing in this
// file deletes it, so the caller keeps ownership and must outlive the policy.
void SecurityPolicy::setMetadataProvider(const MetadataProvider* metadata)
{
    this->m_metadata = metadata;
}
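// Installs a caller-supplied Criteria object, taking ownership of it; the
// previous object is released here and the new one in the destructor (or on
// the next call). Passing the object already installed must not delete it
// first, which would leave m_metadataCriteria dangling — hence the guard.
void SecurityPolicy::setMetadataProviderCriteria(MetadataProvider::Criteria* criteria)
{
    if (criteria == m_metadataCriteria)
        return;
    delete m_metadataCriteria;   // deleting a null pointer is a no-op
    m_metadataCriteria = criteria;
}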
// Replaces the expected issuer role with a private copy (or clears it).
// The line releasing the previous copy is not shown in this listing.
187 void SecurityPolicy::setRole(const xmltooling::QName* role)
190 m_role = role ? new xmltooling::QName(*role) : nullptr;
// Replaces the trust engine exposed via getTrustEngine(); body not shown.
193 void SecurityPolicy::setTrustEngine(const TrustEngine* trust)
// Stores the validation flag reported by getValidating().
void SecurityPolicy::setValidating(bool validate)
{
    this->m_validate = validate;
}
// Controls whether setIssuer(const Issuer*) rejects Issuers whose Format is
// present but is not the entity format.
void SecurityPolicy::requireEntityIssuer(bool entityOnly)
{
    this->m_entityOnly = entityOnly;
}
// Pins the reference time returned by getTime(); body not shown.
208 void SecurityPolicy::setTime(time_t ts)
// Replaces the correlation identifier; the string is cleared first so a null
// argument leaves it empty. NOTE(review): the condition guarding the assignment
// is not shown; assigning a null XMLCh* to the string would be undefined, so it
// should be a null check on correlationID — confirm.
213 void SecurityPolicy::setCorrelationID(const XMLCh* correlationID)
215 m_correlationID.erase();
217 m_correlationID = correlationID;
// Runs every installed rule against the message, in list order. Rules report
// their findings back through the setters on this policy (issuer, issuer
// metadata, authenticated flag); those setters throw SecurityPolicyException
// on a conflict, which ends evaluation at that rule.
void SecurityPolicy::evaluate(const XMLObject& message, const GenericRequest* request)
{
    for (const SecurityPolicyRule* rule : m_rules)
        rule->evaluate(message, request, *this);
}
// Public reset entry point; body not shown. messageOnly presumably limits the
// reset to per-message state (see _reset()).
226 void SecurityPolicy::reset(bool messageOnly)
// Shared reset logic; statements before and after the two shown are omitted
// from this listing, so whether they sit under a messageOnly check is not visible.
231 void SecurityPolicy::_reset(bool messageOnly)
// Drop the resolved issuer role and the authentication result so later rules
// must re-establish both from the next message rather than inherit them.
238 m_issuerRole=nullptr;
239 m_authenticated=false;
// Returns the recorded message identifier as a NUL-terminated XMLCh string;
// the pointer belongs to this object and is invalidated when the string changes.
const XMLCh* SecurityPolicy::getMessageID() const
{
    const xstring& id = m_messageID;
    return id.c_str();
}
// Returns the issue instant recorded by setIssueInstant().
time_t SecurityPolicy::getIssueInstant() const
{
    const time_t instant = m_issueInstant;
    return instant;
}
// Accessor for the Issuer established by setIssuer() (null until then); body not shown.
253 const Issuer* SecurityPolicy::getIssuer() const
// Accessor for the RoleDescriptor established by setIssuerMetadata() (null until then); body not shown.
258 const RoleDescriptor* SecurityPolicy::getIssuerMetadata() const
// Reports whether some rule has marked the message as authenticated via
// setAuthenticated(); cleared again by _reset().
bool SecurityPolicy::isAuthenticated() const
{
    return m_authenticated ? true : false;
}
// Records the message identifier returned by getMessageID(); body not shown.
268 void SecurityPolicy::setMessageID(const XMLCh* id)
// Records the message's issue instant for later getIssueInstant() calls.
void SecurityPolicy::setIssueInstant(time_t issueInstant)
{
    this->m_issueInstant = issueInstant;
}
// Records the Issuer a rule extracted from the message. The stored value is a
// clone, so the caller keeps ownership of its argument.
280 void SecurityPolicy::setIssuer(const Issuer* issuer)
// A result that contradicts an Issuer established by an earlier rule is rejected.
282 if (!getIssuerMatchingPolicy().issuerMatches(m_issuer, issuer))
283 throw SecurityPolicyException("An Issuer was supplied that conflicts with previous results.");
// NOTE(review): the condition opening this branch is not shown in the listing;
// issuer is dereferenced below, so it must at least exclude nullptr (compare the
// XMLCh* overload, which also skips the branch once m_issuer is set) — confirm.
// Under requireEntityIssuer(true) an explicit non-entity Format is a policy
// violation; an absent Format is accepted.
286 if (m_entityOnly && issuer->getFormat() && !XMLString::equals(issuer->getFormat(), NameIDType::ENTITY))
287 throw SecurityPolicyException("A non-entity Issuer was supplied, violating policy.");
// A new Issuer invalidates any RoleDescriptor resolved for the previous one.
288 m_issuerRole = nullptr;
289 m_issuer=issuer->cloneIssuer();
// Records an issuer known only by name (no Format or qualifiers). A name that
// contradicts an Issuer already established by an earlier rule is rejected;
// once an Issuer is present, or if the name is null/empty, nothing is stored.
// Note that the entity-format check of the Issuer overload does not apply
// here, since a bare name carries no Format.
void SecurityPolicy::setIssuer(const XMLCh* issuer)
{
    if (!getIssuerMatchingPolicy().issuerMatches(m_issuer, issuer))
        throw SecurityPolicyException("An Issuer was supplied that conflicts with previous results.");

    const bool nameIsUsable = issuer && *issuer;
    if (m_issuer || !nameIsUsable)
        return;

    // A fresh Issuer invalidates any RoleDescriptor resolved for an old one.
    m_issuerRole = nullptr;
    m_issuer = IssuerBuilder::buildIssuer();
    m_issuer->setName(issuer);
}
// Records the RoleDescriptor a rule resolved for the issuer. Two rules
// resolving different descriptors is a conflict and is rejected. A null
// argument bypasses that check and simply clears the stored descriptor.
// The pointer is stored as-is; nothing here takes ownership of it.
void SecurityPolicy::setIssuerMetadata(const RoleDescriptor* issuerRole)
{
    const bool conflicts = issuerRole && m_issuerRole && issuerRole != m_issuerRole;
    if (conflicts)
        throw SecurityPolicyException("A rule supplied a RoleDescriptor that conflicts with previous results.");
    m_issuerRole = issuerRole;
}
// Lets a rule mark the message as authenticated (or not). There is no
// conflict check here: the last rule to call this wins, and _reset() clears it.
void SecurityPolicy::setAuthenticated(bool auth)
{
    this->m_authenticated = auth;
}
// Default matching policy constructor; body not shown.
317 SecurityPolicy::IssuerMatchingPolicy::IssuerMatchingPolicy()
// Destructor; body not shown. Instances installed via setIssuerMatchingPolicy()
// are deleted through this type, so it is expected to be virtual in the header.
321 SecurityPolicy::IssuerMatchingPolicy::~IssuerMatchingPolicy()
// Decides whether two Issuer elements denote the same party. setIssuer() uses
// it to reject a rule's result that contradicts an earlier rule's. The return
// statements are not shown in this listing; each failed comparison below
// presumably returns false, and the end of the function true.
325 bool SecurityPolicy::IssuerMatchingPolicy::issuerMatches(const Issuer* issuer1, const Issuer* issuer2) const
327 // nullptr matches anything for the purposes of this interface.
328 if (!issuer1 || !issuer2)
// Names must both be present and equal; a missing name on either side is a mismatch.
331 const XMLCh* op1=issuer1->getName();
332 const XMLCh* op2=issuer2->getName();
333 if (!op1 || !op2 || !XMLString::equals(op1,op2))
// An absent Format is treated as the entity format, so "no Format" and an
// explicit entity Format compare equal.
336 op1=issuer1->getFormat();
337 op2=issuer2->getFormat();
338 if (!XMLString::equals(op1 ? op1 : NameIDType::ENTITY, op2 ? op2 : NameIDType::ENTITY))
// Qualifiers default to the empty string, so absent and empty compare equal.
341 op1=issuer1->getNameQualifier();
342 op2=issuer2->getNameQualifier();
343 if (!XMLString::equals(op1 ? op1 : &chNull, op2 ? op2 : &chNull))
346 op1=issuer1->getSPNameQualifier();
347 op2=issuer2->getSPNameQualifier();
348 if (!XMLString::equals(op1 ? op1 : &chNull, op2 ? op2 : &chNull))
// Decides whether an Issuer element matches a bare issuer name, as supplied
// to setIssuer(const XMLCh*). The return statements and the qualifier checks
// are not shown in this listing.
354 bool SecurityPolicy::IssuerMatchingPolicy::issuerMatches(const Issuer* issuer1, const XMLCh* issuer2) const
356 // nullptr matches anything for the purposes of this interface.
357 if (!issuer1 || !issuer2 || !*issuer2)
// The element's name must be present and equal to the bare name.
360 const XMLCh* op1=issuer1->getName();
361 if (!op1 || !XMLString::equals(op1,issuer2))
// A bare name implies the entity format, so a non-empty Format other than the
// entity format is presumably a mismatch.
364 op1=issuer1->getFormat();
365 if (op1 && *op1 && !XMLString::equals(op1, NameIDType::ENTITY))
// The qualifiers are read next; presumably a non-empty qualifier on the element
// prevents a match, since a bare name carries none — the checks are not shown.
368 op1=issuer1->getNameQualifier();
372 op1=issuer1->getSPNameQualifier();
// Shared fallback matching policy, returned by getIssuerMatchingPolicy()
// whenever a policy instance has no matching policy of its own installed.
379 SecurityPolicy::IssuerMatchingPolicy SecurityPolicy::m_defaultMatching;
// Returns the installed issuer-matching policy, or the shared default when
// none has been set via setIssuerMatchingPolicy().
const SecurityPolicy::IssuerMatchingPolicy& SecurityPolicy::getIssuerMatchingPolicy() const
{
    if (m_matchingPolicy)
        return *m_matchingPolicy;
    return m_defaultMatching;
}
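// Installs a custom issuer-matching policy, taking ownership of it; the
// previous one is released here (and the new one presumably in the
// destructor, whose body is not fully shown). Passing the object already
// installed must not delete it first, which would leave m_matchingPolicy
// dangling and corrupt every later issuerMatches() call — hence the guard.
// Passing nullptr restores the shared default policy.
void SecurityPolicy::setIssuerMatchingPolicy(IssuerMatchingPolicy* matchingPolicy)
{
    if (matchingPolicy == m_matchingPolicy)
        return;
    delete m_matchingPolicy;   // deleting a null pointer is a no-op
    m_matchingPolicy = matchingPolicy;
}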